From a4f747c6ee9048f4c7e98e4a1db44a3987cc93da Mon Sep 17 00:00:00 2001 From: Manuel Bluhm Date: Thu, 4 Apr 2024 20:51:36 +0400 Subject: [PATCH] Hardware re-factoring: - moved hardware from common to a flake-module - re-factored 'generation' as parameter to hardware definition - quick fixed network device required in desktop stack (hw definition not available in vm namespaces) - fix references to modules/common/hardware 
Signed-off-by: Manuel Bluhm --- .reuse/dep5 | 4 +- docs/src/architecture/hardening.md | 10 +-- modules/common/default.nix | 1 - .../lenovo-x1/definitions/default.nix | 52 -------------- modules/desktop/graphics/default.nix | 1 + modules/desktop/graphics/hardware.nix | 14 ++++ modules/desktop/graphics/waybar.config.nix | 2 +- modules/flake-module.nix | 5 +- .../{common => }/hardware/ax88179_178a.nix | 0 modules/{common => }/hardware/definition.nix | 0 modules/hardware/flake-module.nix | 15 ++++ .../lenovo-x1}/default.nix | 5 +- .../lenovo-x1/definitions/default.nix | 69 +++++++++++++++++++ .../lenovo-x1/definitions/x1-gen10.nix | 0 .../lenovo-x1/definitions/x1-gen11.nix | 0 .../lenovo-x1/kernel/guest/test/default.nix | 0 .../kernel/guest/test/test-configuration.nix | 0 .../hardware/x86_64-generic/default.nix | 1 + .../configs/ghaf_host_hardened_baseline-x86 | 0 .../kernel/guest/configs/display-gpu.config | 0 .../kernel/guest/configs/guest.config | 0 .../x86_64-generic/kernel/guest/default.nix | 0 .../x86_64-generic/kernel/hardening.nix | 0 .../kernel/host/configs/debug.config | 0 .../kernel/host/configs/networking.config | 0 .../kernel/host/configs/usb.config | 0 .../host/configs/user-input-devices.config | 0 .../kernel/host/configs/virtualization.config | 0 .../x86_64-generic/kernel/host/default.nix | 2 +- .../kernel/host/pkvm/default.nix | 0 .../kernel/host/pkvm/test/default.nix | 0 .../host/pkvm/test/test-configuration.nix | 0 .../kernel/host/test/default.nix | 0 .../kernel/host/test/test-configuration.nix | 0 .../x86_64-generic}/x86_64-linux.nix | 0 nix/checks.nix | 6 +- nix/devshell/kernel.nix | 2 +- packages/kernel/default.nix | 4 +- targets/generic-x86_64/flake-module.nix | 1 + targets/lenovo-x1/everything.nix | 28 ++++---- targets/lenovo-x1/guivmExtraModules.nix | 2 +- targets/vm/flake-module.nix | 1 + 42 files changed, 135 insertions(+), 90 deletions(-) delete mode 100644 modules/common/hardware/lenovo-x1/definitions/default.nix create mode 100644 
modules/desktop/graphics/hardware.nix rename modules/{common => }/hardware/ax88179_178a.nix (100%) rename modules/{common => }/hardware/definition.nix (100%) create mode 100644 modules/hardware/flake-module.nix rename modules/{common/hardware => hardware/lenovo-x1}/default.nix (67%) create mode 100644 modules/hardware/lenovo-x1/definitions/default.nix rename modules/{common => }/hardware/lenovo-x1/definitions/x1-gen10.nix (100%) rename modules/{common => }/hardware/lenovo-x1/definitions/x1-gen11.nix (100%) rename modules/{common => }/hardware/lenovo-x1/kernel/guest/test/default.nix (100%) rename modules/{common => }/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix (100%) rename modules/{common => }/hardware/x86_64-generic/default.nix (89%) rename modules/{common => }/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/guest/configs/guest.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/guest/default.nix (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/hardening.nix (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/configs/debug.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/configs/networking.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/configs/usb.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/configs/virtualization.config (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/default.nix (95%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/pkvm/default.nix (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix (100%) rename modules/{common => 
}/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/test/default.nix (100%) rename modules/{common => }/hardware/x86_64-generic/kernel/host/test/test-configuration.nix (100%) rename modules/{common/hardware => hardware/x86_64-generic}/x86_64-linux.nix (100%) diff --git a/.reuse/dep5 b/.reuse/dep5 index 4e230012c..e003f052a 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -5,7 +5,7 @@ Source: https://github.com/tiiuae/ghaf Copyright: 2022-2024 Technology Innovation Institute (TII) License: Apache-2.0 -Files: +Files: *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12 - modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 + modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 modules/jetpack/ghaf_host_hardened_baseline-jetson-orin diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md index 198e81335..75243a855 100644 --- a/docs/src/architecture/hardening.md +++ b/docs/src/architecture/hardening.md 
@@ -19,13 +19,13 @@ NixOS provides several mechanisms to customize the kernel. The main methods are: * [Declaring kernel command line parameters](https://nixos.wiki/wiki/Linux_kernel#Custom_kernel_commandline): [usage in Ghaf](https://github.com/search?q=repo%3Atiiuae%2Fghaf%20kernelparams&type=code). * [Declaring kernel custom configuration](https://nixos.org/manual/nixos/stable/#sec-linux-config-customizing): [usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix). - + Example of entering the kernel development shell to customize the `.config` and build it: ``` ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86 ... - [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config + [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig ... [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc) 
@@ -42,8 +42,8 @@ NixOS provides several mechanisms to customize the kernel. The main methods are: * [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker): ``` - [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config - [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/common/hardware/x86_64-generic/kernel/host/configs GS=../modules/common/hardware/x86_64-generic/kernel/guest/configs + [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config + [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config [+] Kconfig file to check: .config @@ -74,7 +74,7 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf -`modules/common/hardware/x86_64-generic/kernel/configs`. Resulting baseline +`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline kernel configuration is generic for x86_64 hardware architecture devices. In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1. 
diff --git a/modules/common/default.nix b/modules/common/default.nix
index b7b3e2326..e742a04d6 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -9,7 +9,6 @@
 ./common.nix
 ./development
 ./firewall
- ./hardware
 ./profiles
 ./security
 ./tpm2
diff --git a/modules/common/hardware/lenovo-x1/definitions/default.nix b/modules/common/hardware/lenovo-x1/definitions/default.nix
deleted file mode 100644
index f18b9813f..000000000
--- a/modules/common/hardware/lenovo-x1/definitions/default.nix
+++ /dev/null
@@ -1,52 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - generation, - lib, -}: let - hwDefinition = import (./. + "/x1-${generation}.nix"); -in { - inherit (hwDefinition) mouse; - inherit (hwDefinition) touchpad; - inherit (hwDefinition) disks; - inherit (hwDefinition) network; - inherit (hwDefinition) gpu; - - # Notes: - # 1. This assembles udev rules for different hw configurations (i.e., different mice/touchpads) by adding - # all of them to the configuration. This was chosen for simplicity to not have to provide hw identifier at build, - # but is not ideal and should be changed. - # 2. USB camera "passthrough" is handled by qemu and thus available on host. If peripheral VM is implemented, - # the entire host controller should be passthrough'd using the PCI bus (14.0). In x1, bluetooth and fingerprint - # reader are on this bus. - udevRules = let - mapMouseRules = - builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="mouse" - ''); - mapTouchpadRules = - builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="touchpad" - ''); - in '' - # Laptop keyboard - SUBSYSTEM=="input", ATTRS{name}=="AT Translated Set 2 keyboard", GROUP="kvm" - # Laptop TrackPoint - SUBSYSTEM=="input", ATTRS{name}=="TPPS/2 Elan TrackPoint", GROUP="kvm" - # Lenovo X1 integrated webcam - KERNEL=="3-8", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="3", GROUP="kvm" - # External USB GPS receiver - SUBSYSTEM=="usb", ATTR{idVendor}=="067b", ATTR{idProduct}=="23a3", GROUP="kvm" - # Mouse and Touchpad - ${lib.strings.concatStrings (mapMouseRules hwDefinition.mouse)} - ${lib.strings.concatStrings (mapTouchpadRules hwDefinition.touchpad)} - ''; - - virtioInputHostEvdevs = [ - # Lenovo X1 touchpad and keyboard - "/dev/input/by-path/platform-i8042-serio-0-event-kbd" - "/dev/mouse" - "/dev/touchpad" - # Lenovo X1 trackpoint (red 
button/joystick) - "/dev/input/by-path/platform-i8042-serio-1-event-mouse" - ]; -} diff --git a/modules/desktop/graphics/default.nix b/modules/desktop/graphics/default.nix index 4fb669933..2475919dc 100644 --- a/modules/desktop/graphics/default.nix +++ b/modules/desktop/graphics/default.nix @@ -10,5 +10,6 @@ ./fonts.nix ./window-manager.nix ./boot.nix + ./hardware.nix ]; } diff --git a/modules/desktop/graphics/hardware.nix b/modules/desktop/graphics/hardware.nix new file mode 100644 index 000000000..63eb4a30e --- /dev/null +++ b/modules/desktop/graphics/hardware.nix @@ -0,0 +1,14 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{lib, ...}: +with lib; { + options.ghaf.graphics.hardware = { + networkDevice = mkOption { + type = types.anything; + default = {}; + description = '' + Network device interface for use with graphics stack. + ''; + }; + }; +} diff --git a/modules/desktop/graphics/waybar.config.nix b/modules/desktop/graphics/waybar.config.nix index 76386510d..15e749c82 100644 --- a/modules/desktop/graphics/waybar.config.nix +++ b/modules/desktop/graphics/waybar.config.nix @@ -7,7 +7,7 @@ ... }: let cfg = config.ghaf.graphics.labwc; - networkDevice = config.ghaf.hardware.definition.network.pciDevices; + inherit (config.ghaf.graphics.hardware) networkDevice; inherit (import ../../../lib/icons.nix {inherit pkgs lib;}) svgToPNG; launchpad-icon = svgToPNG "launchpad" ../../../assets/icons/svg/launchpad.svg "38x38"; diff --git a/modules/flake-module.nix b/modules/flake-module.nix index cdbe92292..bb8044a7c 100644 --- a/modules/flake-module.nix +++ b/modules/flake-module.nix @@ -4,7 +4,10 @@ # Modules to be exported from Flake # {inputs, ...}: { - imports = [./disko/flake-module.nix]; + imports = [ + ./disko/flake-module.nix + ./hardware/flake-module.nix + ]; flake.nixosModules = { common.imports = [ 
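Review bot: `networkDevice` in the new `modules/desktop/graphics/hardware.nix` is declared as `types.anything` with `default = {}`, yet every writer in this patch assigns it `ghaf.hardware.definition.network.pciDevices` (waybar.config.nix now inherits it, guivmExtraModules.nix sets it), so an empty attrset default is unlikely to match the shape the waybar config reads and a guivm that forgets the assignment fails late inside that config instead of at option evaluation. Constrain the option to the same type `definition.nix` gives `network.pciDevices` and use a matching empty default, e.g. `type = types.listOf types.attrs; default = [];` if that field is a list of PCI device attrsets (not visible here, please confirm). The other new module in this patch (`modules/hardware/lenovo-x1/definitions/default.nix`) uses `lib.mkOption`/`lib.types` directly; doing the same here instead of `with lib;` would keep the two consistent.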
diff --git a/modules/common/hardware/ax88179_178a.nix b/modules/hardware/ax88179_178a.nix
similarity index 100%
rename from modules/common/hardware/ax88179_178a.nix
rename to modules/hardware/ax88179_178a.nix
diff --git a/modules/common/hardware/definition.nix b/modules/hardware/definition.nix
similarity index 100%
rename from modules/common/hardware/definition.nix
rename to modules/hardware/definition.nix
diff --git a/modules/hardware/flake-module.nix b/modules/hardware/flake-module.nix
new file mode 100644
index 000000000..43b8a1636
--- /dev/null
+++ b/modules/hardware/flake-module.nix
@@ -0,0 +1,15 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+_: {
+ flake.nixosModules = {
+ hw-lenovo-x1.imports = [
+ ./definition.nix
+ ./x86_64-generic
+ ./lenovo-x1
+ ];
+ hw-x86_64-generic.imports = [
+ ./definition.nix
+ ./x86_64-generic
+ ];
+ };
+}
diff --git a/modules/common/hardware/default.nix b/modules/hardware/lenovo-x1/default.nix
similarity index 67%
rename from modules/common/hardware/default.nix
rename to modules/hardware/lenovo-x1/default.nix
index c19ca9dd8..fda48e4eb 100644
--- a/modules/common/hardware/default.nix
+++ b/modules/hardware/lenovo-x1/default.nix
@@ -2,10 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 {
 imports = [
- ./x86_64-linux.nix
- ./x86_64-generic
- ./definition.nix
-
+ ./definitions
 ./ax88179_178a.nix
 ];
 }
diff --git a/modules/hardware/lenovo-x1/definitions/default.nix b/modules/hardware/lenovo-x1/definitions/default.nix
new file mode 100644
index 000000000..87c9ae173
--- /dev/null
+++ b/modules/hardware/lenovo-x1/definitions/default.nix
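Review bot: The context line `./ax88179_178a.nix` in the renamed `modules/hardware/lenovo-x1/default.nix` no longer resolves: this same patch moves that module to `modules/hardware/ax88179_178a.nix`, one directory above the importing file's new location, so the entry should read `../ax88179_178a.nix`. The sibling rename of `kernel/host/default.nix` shortens its `../../../../../../packages/kernel` path for the same move, which suggests this one was simply missed. Because `targets/lenovo-x1/everything.nix` still sets `hardware.ax88179_178a.enable = true`, evaluating the lenovo-x1 target will fail on the missing path unless a copy of the file exists at the old relative location outside this diff.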
@@ -0,0 +1,69 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + config, + lib, + ... +}: let + hwDefinition = import (./. + "/x1-${config.ghaf.hardware.generation}.nix"); +in { + imports = [ + ../../definition.nix + ]; + + options.ghaf.hardware.generation = lib.mkOption { + description = "Generation of the hardware configuration"; + type = lib.types.str; + default = "gen11"; + }; + + config = { + ghaf.hardware.definition = { + inherit (hwDefinition) mouse; + inherit (hwDefinition) touchpad; + inherit (hwDefinition) disks; + inherit (hwDefinition) network; + inherit (hwDefinition) gpu; + + virtioInputHostEvdevs = [ + # Lenovo X1 touchpad and keyboard + "/dev/input/by-path/platform-i8042-serio-0-event-kbd" + "/dev/mouse" + "/dev/touchpad" + # Lenovo X1 trackpoint (red button/joystick) + "/dev/input/by-path/platform-i8042-serio-1-event-mouse" + ]; + }; + + disko.devices.disk = hwDefinition.disks; + + # Notes: + # 1. This assembles udev rules for different hw configurations (i.e., different mice/touchpads) by adding + # all of them to the configuration. This was chosen for simplicity to not have to provide hw identifier at build, + # but is not ideal and should be changed. + # 2. USB camera "passthrough" is handled by qemu and thus available on host. If peripheral VM is implemented, + # the entire host controller should be passthrough'd using the PCI bus (14.0). In x1, bluetooth and fingerprint + # reader are on this bus. 
+ services.udev.extraRules = let + mapMouseRules = + builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="mouse" + ''); + mapTouchpadRules = + builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="touchpad" + ''); + in '' + # Laptop keyboard + SUBSYSTEM=="input", ATTRS{name}=="AT Translated Set 2 keyboard", GROUP="kvm" + # Laptop TrackPoint + SUBSYSTEM=="input", ATTRS{name}=="TPPS/2 Elan TrackPoint", GROUP="kvm" + # Lenovo X1 integrated webcam + KERNEL=="3-8", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="3", GROUP="kvm" + # Lenovo X1 integrated fingerprint reader + KERNEL=="3-6", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="2", GROUP="kvm" + # Mouse and Touchpad + ${lib.strings.concatStrings (mapMouseRules hwDefinition.mouse)} + ${lib.strings.concatStrings (mapTouchpadRules hwDefinition.touchpad)} + ''; + }; +} diff --git a/modules/common/hardware/lenovo-x1/definitions/x1-gen10.nix b/modules/hardware/lenovo-x1/definitions/x1-gen10.nix similarity index 100% rename from modules/common/hardware/lenovo-x1/definitions/x1-gen10.nix rename to modules/hardware/lenovo-x1/definitions/x1-gen10.nix diff --git a/modules/common/hardware/lenovo-x1/definitions/x1-gen11.nix b/modules/hardware/lenovo-x1/definitions/x1-gen11.nix similarity index 100% rename from modules/common/hardware/lenovo-x1/definitions/x1-gen11.nix rename to modules/hardware/lenovo-x1/definitions/x1-gen11.nix diff --git a/modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix similarity index 100% rename from modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix rename to modules/hardware/lenovo-x1/kernel/guest/test/default.nix 
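Review bot: `ghaf.hardware.generation` is typed `lib.types.str` but is spliced straight into `import (./. + "/x1-${config.ghaf.hardware.generation}.nix")`, so any value other than the two definition files this patch renames (`x1-gen10.nix`, `x1-gen11.nix`) surfaces as a path-not-found error from inside the import rather than as an option type error; `type = lib.types.enum ["gen10" "gen11"];` documents the supported generations and fails at the option boundary. Two further changes in this hunk are not mentioned in the commit message: the udev block gains a rule handing the integrated fingerprint reader (`KERNEL=="3-6"`, matched by bus/device number like the existing webcam rule) to the `kvm` group, which widens the set of host devices a VM may claim, and `disko.devices.disk = hwDefinition.disks;` is now set here while `targets/lenovo-x1/everything.nix` keeps `disko.devices.disk = config.ghaf.hardware.definition.disks;`, so the same disk layout is defined twice. Drop one of the two disko assignments, and if the fingerprint-reader exposure is intended, say so in the commit message and in comment 2 above it, which currently describes that device as host-only.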
diff --git a/modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
similarity index 100%
rename from modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
rename to modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix
diff --git a/modules/common/hardware/x86_64-generic/default.nix b/modules/hardware/x86_64-generic/default.nix
similarity index 89%
rename from modules/common/hardware/x86_64-generic/default.nix
rename to modules/hardware/x86_64-generic/default.nix
index 6ce0c0f5a..6a8fbca1c 100644
--- a/modules/common/hardware/x86_64-generic/default.nix
+++ b/modules/hardware/x86_64-generic/default.nix
@@ -6,5 +6,6 @@
 ./kernel/hardening.nix
 ./kernel/host
 ./kernel/host/pkvm
+ ./x86_64-linux.nix
 ];
 }
diff --git a/modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 b/modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
rename to modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86
diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config b/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
rename to modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config b/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config
rename to modules/hardware/x86_64-generic/kernel/guest/configs/guest.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/default.nix b/modules/hardware/x86_64-generic/kernel/guest/default.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/guest/default.nix
rename to modules/hardware/x86_64-generic/kernel/guest/default.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/hardening.nix b/modules/hardware/x86_64-generic/kernel/hardening.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/hardening.nix
rename to modules/hardware/x86_64-generic/kernel/hardening.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config b/modules/hardware/x86_64-generic/kernel/host/configs/debug.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/debug.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config b/modules/hardware/x86_64-generic/kernel/host/configs/networking.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/networking.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config b/modules/hardware/x86_64-generic/kernel/host/configs/usb.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/usb.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config b/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config b/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/default.nix b/modules/hardware/x86_64-generic/kernel/host/default.nix
similarity index 95%
rename from modules/common/hardware/x86_64-generic/kernel/host/default.nix
rename to modules/hardware/x86_64-generic/kernel/host/default.nix
index 1a2cc2cb9..636923430 100644
--- a/modules/common/hardware/x86_64-generic/kernel/host/default.nix
+++ b/modules/hardware/x86_64-generic/kernel/host/default.nix
@@ -7,7 +7,7 @@
 ...
 }: let
 # Importing kernel builder function from packages and checking hardening options
- buildKernel = import ../../../../../../packages/kernel {inherit config pkgs lib;};
+ buildKernel = import ../../../../../packages/kernel {inherit config pkgs lib;};
 config_baseline = ../configs/ghaf_host_hardened_baseline-x86;
 host_hardened_kernel = buildKernel {
 inherit config_baseline;
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix
rename to modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
rename to modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
rename to modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/test/default.nix
rename to modules/hardware/x86_64-generic/kernel/host/test/default.nix
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
rename to modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
diff --git a/modules/common/hardware/x86_64-linux.nix b/modules/hardware/x86_64-generic/x86_64-linux.nix
similarity index 100%
rename from modules/common/hardware/x86_64-linux.nix
rename to modules/hardware/x86_64-generic/x86_64-linux.nix
diff --git a/nix/checks.nix b/nix/checks.nix
index 47b2c062a..767058c14 100644
--- a/nix/checks.nix
+++ b/nix/checks.nix
@@ -17,11 +17,11 @@
 touch $out
 '';
 module-test-hardened-generic-host-kernel =
- pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/test {inherit pkgs;};
+ pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/test {inherit pkgs;};
 module-test-hardened-lenovo-x1-guest-guivm-kernel =
- pkgs.callPackage ../modules/common/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;};
+ pkgs.callPackage ../modules/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;};
 module-test-hardened-pkvm-kernel =
- pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;};
+ pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;};
 }
 // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages);
 };
diff --git a/nix/devshell/kernel.nix b/nix/devshell/kernel.nix
index 5cdc41249..8702c0d3d 100644
--- a/nix/devshell/kernel.nix
+++ b/nix/devshell/kernel.nix
@@ -45,7 +45,7 @@
 export PS1="[ghaf-kernel-${platform}-devshell:\w]$ "
 '';
 # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
- checkPhase = "cp ../modules/common/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)";
+ checkPhase = "cp ../modules/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)";
 };
 in {
 devShells.kernel-x86 = mkKernelShell {
diff --git a/packages/kernel/default.nix b/packages/kernel/default.nix
index 81ce5cd1f..ff180fe32 100644
--- a/packages/kernel/default.nix
+++ b/packages/kernel/default.nix
@@ -55,8 +55,8 @@ configfile = config_baseline; }; - generic_host_configs = ../../modules/common/hardware/x86_64-generic/kernel/host/configs; - generic_guest_configs = ../../modules/common/hardware/x86_64-generic/kernel/guest/configs; + generic_host_configs = ../../modules/hardware/x86_64-generic/kernel/host/configs; + generic_guest_configs = ../../modules/hardware/x86_64-generic/kernel/guest/configs; # TODO: refactor - do we yet have any X1 specific host kernel configuration options? # - we could add a configuration fragment for host debug via usb-ethernet-adapter(s) diff --git a/targets/generic-x86_64/flake-module.nix b/targets/generic-x86_64/flake-module.nix index 71cc549ff..cbebddbe4 100644 --- a/targets/generic-x86_64/flake-module.nix +++ b/targets/generic-x86_64/flake-module.nix @@ -41,6 +41,7 @@ self.nixosModules.desktop self.nixosModules.host self.nixosModules.microvm + self.nixosModules.hw-x86_64-generic { ghaf = { diff --git a/targets/lenovo-x1/everything.nix b/targets/lenovo-x1/everything.nix index df3e9c15a..52c03d4f2 100644 --- a/targets/lenovo-x1/everything.nix +++ b/targets/lenovo-x1/everything.nix @@ -18,9 +18,6 @@ ## To here lenovo-x1 = generation: variant: extraModules: let - hwDefinition = import ../../modules/common/hardware/lenovo-x1/definitions { - inherit generation lib; - }; hostConfiguration = lib.nixosSystem { inherit system; modules = @@ -34,6 +31,7 @@ self.nixosModules.microvm self.nixosModules.disko-lenovo-x1-basic-v1 + self.nixosModules.hw-lenovo-x1 ({ pkgs, @@ -42,8 +40,6 @@ }: let powerControl = pkgs.callPackage ../../packages/powercontrol {}; in { - security.polkit.extraConfig = powerControl.polkitExtraConfig; - services.udev.extraRules = hwDefinition.udevRules; time.timeZone = "Asia/Dubai"; # Enable pulseaudio support for host as a service 
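Review bot: `security.polkit.extraConfig = powerControl.polkitExtraConfig;` is removed from the lenovo-x1 host configuration in the `@@ -42,8 +40,6 @@` hunk alongside the udev line, but unlike the udev rules (which reappear in `modules/hardware/lenovo-x1/definitions/default.nix`) nothing in this patch re-adds the polkit rules, and the `powerControl = pkgs.callPackage ../../packages/powercontrol {};` binding two lines above is left unused. Unless the drop is intentional, the host's polkit authorization rules for power control silently disappear while the commit message only describes hardware and path refactoring; keep `security.polkit.extraConfig = powerControl.polkitExtraConfig;` in place, or remove the now-dead `powerControl` binding and record the removal in the message. The enclosing module attribute set continues outside the hunk.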
@@ -61,23 +57,23 @@ disko.devices.disk = config.ghaf.hardware.definition.disks; ghaf = { - hardware.definition = hwDefinition; - # To enable guest hardening enable host hardening first + # Hardware definitions + hardware.x86_64.common.enable = true; + hardware.generation = generation; + + hardware.ax88179_178a.enable = true; + security.tpm2.enable = true; + + # Kernel hardening host.kernel.hardening.enable = false; host.kernel.hardening.virtualization.enable = false; host.kernel.hardening.networking.enable = false; host.kernel.hardening.inputdevices.enable = false; - + host.kernel.hardening.hypervisor.enable = false; guest.kernel.hardening.enable = false; guest.kernel.hardening.graphics.enable = false; - host.kernel.hardening.hypervisor.enable = false; - - hardware.x86_64.common.enable = true; - hardware.ax88179_178a.enable = true; - - security.tpm2.enable = true; - + # Virtualization options virtualization.microvm-host.enable = true; virtualization.microvm-host.networkSupport = true; @@ -107,7 +103,7 @@ vms = import ./appvms/default.nix {inherit pkgs config;}; }; - # Enable all the default UI applications + # UI applications profiles = { applications.enable = false; }; diff --git a/targets/lenovo-x1/guivmExtraModules.nix b/targets/lenovo-x1/guivmExtraModules.nix index 3a486f6dc..f05634662 100644 --- a/targets/lenovo-x1/guivmExtraModules.nix +++ b/targets/lenovo-x1/guivmExtraModules.nix @@ -37,7 +37,7 @@ }; guivmExtraConfigurations = { - ghaf.hardware.definition.network.pciDevices = configH.ghaf.hardware.definition.network.pciDevices; + ghaf.graphics.hardware.networkDevice = configH.ghaf.hardware.definition.network.pciDevices; ghaf.profiles.graphics.compositor = "labwc"; ghaf.graphics.launchers = let hostAddress = "192.168.101.2"; diff --git a/targets/vm/flake-module.nix b/targets/vm/flake-module.nix index 992e611aa..ebee299a7 100644 --- a/targets/vm/flake-module.nix +++ b/targets/vm/flake-module.nix 
@@ -19,6 +19,7 @@ self.nixosModules.desktop self.nixosModules.host self.nixosModules.microvm + self.nixosModules.hw-x86_64-generic { ghaf = {